(Re-sending this, as my last attempt came from the wrong address and got bounced.)
Hey all!
Thanks for a good discussion.
People's expectations from e-mail are indeed very low today. The user
experience of e-mail is badly broken today and relays doing surprising
things (in the name of security or spam protection) are the main reason
why. I am very keen to improve the situation, and this desire has very
little to do with security.
Regarding relay servers vs. direct p2p, and protection of the social
graph: I think the idea that monitoring the entire Tor network is
somehow easier than compromising a few relay servers and simply
watching the logs is patently ludicrous. :-) I tend to assume the
relay is a potential adversary, which is an assumption folks may not
agree with, but is supported by history and the current state of the
network.
I will admit that I haven't given much thought to the costs/benefits of
shared mailboxes, but it seems they should help against adversarial
relays. Obviously they're going to waste lots of bandwidth as you have
to download everyone's mail, but it seems they will also be very
dependent on a critical mass of users actually using the systems.
SMTorP hits the ground running and has some very real potential
usability benefits (improving the user experience, not just matching the
current woeful state of affairs). I'm of the opinion that if we want to
improve people's security, we have to provide them with tools they
actually want for other reasons. If I can tell people "with SMTorP you
no longer have to wonder when the mail was delivered or whether it ended
up in their spam folder", then many will switch for that reason alone. I
will be the first to admit that there are more secure ways to exchange
messages, but security just isn't the only concern.
This is one of the main reasons I'm really not keen on relays. They kill
the usability benefits I am shooting for, add back all the old shit from
legacy SMTP and add another potential point of compromise and attack.
Regarding the case for/against send vs. receive relays in SMTorP, we were
introducing relays to address the concern that some users are not online
often enough - not to improve security (I consider relays to be a
security weakness, not a strength).
Since SMTorP addresses are just something at foo.onion, if you use a
receive relay then the relay operator owns your e-mail address, making
him a middle man you cannot get rid of without changing addresses and
notifying all your contacts. With a send relay, he does not have this
position of power or influence. Also, I can bypass the sending relay
most of the time when I am online, and just dump data to it when I feel
the need (obviously this would complicate the UI to the point that this
feature might not ever be implemented in practice, but it is an option
and one that might well be valued by users who have enough need for
security that they are willing to educate themselves a bit).
Hope this clarifies!
- Bjarni